Re: change password_encryption default to scram-sha-256?

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, Andres Freund <andres(at)anarazel(dot)de>, David Fetter <david(at)fetter(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: change password_encryption default to scram-sha-256?
Date: 2019-04-08 17:34:12
Message-ID: 20190408173412.GA8882@alvherre.pgsql
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

I'm not sure I understand all this talk about deferring changing the
default to pg13. AFAICS only a few fringe drivers are missing support;
not changing in pg12 means we're going to leave *all* users, even those
whose clients have support, without the additional security for 18 more

IIUC the vast majority of clients already support SCRAM auth. So the
vast majority of PG users can take advantage of the additional security.
I think the only massive-adoption exception is JDBC, and apparently they
already have working patches for SCRAM.

Like many other configuration parameters, setting the default for this
one is a trade-off: give the most benefit to most users, causing the
least possible pain to users for whom the default is not good. Users
that require opening connections from clients that have not updated
should just set password_encryption to md5. It's not like things will
suddenly blow up in their faces.

IMO we don't need to wait until every single client in existence has
updated to support SCRAM. After all, they've already had two years.

Álvaro Herrera
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2019-04-08 17:37:23 Re: Pluggable Storage - Andres's take
Previous Message Fabien COELHO 2019-04-08 17:32:51 pgbench - add \aset to store results of a combined query